Improving GDPR compliance with the EDPB Website Auditing Tool

The EDPB Website Auditing Tool, or EDPB WAT, was recently released to help monitor websites’ compliance with the GDPR. It is a free software project that is meant to help analyze websites. The EDPB WAT uses Chromium as a webdriver to access a URL. It then assesses which external resources and cookies are loaded on the relevant website. It is important for companies to regularly assess their websites. In doing this, they can ensure that they have a complete understanding of their processing activities. It is the responsibility of the data controller to ensure that its website is compliant with the GDPR.

The EDPB audit tool can be installed directly from the source code or through pre-built releases. There is a version for easy installation on Linux, Windows, and MacOS machines. One can also download the official source code of the EDPB WAT tool rather than the pre-compiled application file. 

Capabilities of the EDPB Website Auditing Tool

With the tool, individuals are able to start new analyses of a website. There is the possibility to create multiple scenarios such as: 

  • No cookies accepted; 
  • Reject all;  
  • Accept all; and
  • Any other categorization of cookies available on the website, for example: performance, marketing, etc.

For each of these scenarios, the cookies and external sources loaded are collected by the tool to form a report. The user of the tool is then able to test out different banner and consent box options and inspect how the user experience changes. In assessing various consent box options, the tool allows for easy verification that all the cookies are correctly categorized. This ensures that no non-necessary cookie is loaded without permission from the user.

By using the EDPB WAT, one is able to analyze different aspects of a website such as: 

  • Which cookies are loaded for various consent scenarios; 
  • Local storage that is being used; 
  • Verifying the use of HTTPS or SSL to protect the flow of data to and from the website; 
  • Traffic analysis to identify what requests are being made; 
  • Identifying whether any web forms on a website are sent using non-encrypted transmission, to ensure that what could potentially be personal data is being sent securely; and
  • The presence of any web beacons. 

How to get started

The program can be installed through an application installer for Linux, Windows, and MacOS. One is also able to download the source code directly. For simplicity, using the pre-configured installers is recommended. The EDPB also released official guidance to use in conjunction with the tool, which can be accessed here.

Testing out the EDPB WAT: An example

After installing EDPB WAT, one can easily test out the capabilities of the tool by requesting a specific URL for the tool to access. Consider the URL: website.com which is owned by CompX and has a cookie banner with “Accept All” and “Reject All” as the only two options for consent. 

Since there is a cookie banner present, there are three scenarios that we need to assess. 

  1. Accept All → When the option to “Accept All” is chosen, review all of the scripts, resources and cookies that are loaded. 
  2. Reject All → When the option to “Reject All” is chosen, it is important to review 
  3. No consent given → It is important to see if any cookies, resources or scripts are loaded even if one does not interact with the cookie banner.

The tool will then access that URL and data will be collected based on the consent option chosen. When assessing the website scenarios, one can label each scenario as being: compliant, not compliant, or indeterminate. The same labels can be applied to the specific cookies that are set by a website. If website.com was found to be using third-party advertising cookies when the option to Reject All is chosen, that would be in violation of the GDPR and ePrivacy Directive.
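The labeling step described above can be sketched as follows. This is an added example, not code from the EDPB WAT or from TechGDPR: the data layout, the cookie names, the example.net and example.org domains and the knowledge base entries are all constructed for illustration, and the rule applied (a non-necessary cookie in a scenario without permission is "not compliant", an uncategorized cookie is "indeterminate") is an assumption drawn from the text.

```javascript
// Constructed sample: cookies observed per consent scenario for website.com.
// This layout is an assumption for the example, not the EDPB WAT report format.
const SITE_DOMAIN = "website.com";
const observed = {
  "Accept All": [
    { name: "session_id", domain: "website.com" },
    { name: "perf_timing", domain: "website.com" },
    { name: "ad_track", domain: "ads.example.net" },
  ],
  "Reject All": [
    { name: "session_id", domain: "website.com" },
    { name: "ad_track", domain: "ads.example.net" },
  ],
  "No consent given": [
    { name: "session_id", domain: "website.com" },
    { name: "widget_pref", domain: "cdn.example.org" },
  ],
};
// Hand-built knowledge base: cookie name -> category (constructed entries).
const knowledgeBase = new Map([
  ["session_id", "necessary"],
  ["perf_timing", "performance"],
  ["ad_track", "marketing"],
]);
// Scenarios where the visitor gave no permission for non-necessary cookies.
const NO_PERMISSION = new Set(["Reject All", "No consent given"]);
function isThirdParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return d !== siteDomain && !d.endsWith("." + siteDomain);
}

function assessScenario(scenario, cookies) {
  const findings = cookies.map((c) => {
    const category = knowledgeBase.get(c.name) ?? "unknown";
    let label = "compliant";
    if (category === "unknown") label = "indeterminate"; // needs manual review
    else if (category !== "necessary" && NO_PERMISSION.has(scenario)) label = "not compliant";
    return { ...c, category, thirdParty: isThirdParty(c.domain, SITE_DOMAIN), label };
  });
  // Worst label wins: not compliant > indeterminate > compliant.
  const labels = findings.map((f) => f.label);
  const overall = labels.includes("not compliant") ? "not compliant"
    : labels.includes("indeterminate") ? "indeterminate" : "compliant";
  return { scenario, overall, findings };
}

const assessAll = (data) =>
  Object.entries(data).map(([s, cookies]) => assessScenario(s, cookies));
for (const r of assessAll(observed)) console.log(`${r.scenario}: ${r.overall}`);
```

Each entry in `findings` keeps the per-cookie label and a third-party flag, so the cookie responsible for a scenario's overall label can be traced and the knowledge base extended once an "indeterminate" cookie has been reviewed.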

Regular use of this tool on one’s own website and other websites allows for an understanding of which technologies are used by competitors, as well as potentially granting the upper hand in contract negotiations by proving a higher level of compliance with EU regulations. The WAT tool also allows for the manual creation of a knowledge base for cookies, which can be built up over time through the assessment of various websites.

How is the EDPB Website Auditing Tool helpful for businesses?

It is important to be aware of all of the resources used by a website in order to ensure compliance with the GDPR. This tool allows for a quick overview of what resources are called, and how these are placed or utilized by a website. In order to maintain compliance with the GDPR, it is important to understand how a website might impact a visitor, potentially through the setting of cookies, usage of local storage or calls to external resources.

The performance of regular website audits by a business can help to ensure: 

  • compliance with legal requirements such as the GDPR and the ePrivacy Directive; 
  • a way of addressing potential unknown risks on a website such as unintentionally set cookies; 
  • trust and transparency with website visitors; and 
  • improved website performance. 

The EDPB WAT can be helpful to determine the current level of compliance for a website or an organization. It is important to remain cognizant of how a website changes over time. Through using this tool, a website owner can assess how the various technologies that make up the website impact the user. Take WordPress, the largest website content management system, powering over 40% of websites on the Internet: website developers might add plugins to their website that add cookies unknowingly.

Through a quick scan using the EDPB WAT one is then able to easily find out about the oversight and fix the issue before it becomes a citable instance of noncompliance under the GDPR and/or ePrivacy Directive. 

How we use the EDPB Website Auditing Tool

TechGDPR performs website audits on behalf of organizations to analyze the current state of compliance for a website. With the release of this new tool by the EDPB, we will integrate the use of the EDPB WAT into the technical assessment methodology. By leveraging this tool, we at TechGDPR aim to enhance the effectiveness and efficiency of the website audit performed on behalf of our clients. When appointed as an organization’s DPO, TechGDPR performs annual website audits to work towards GDPR and/or ePrivacy compliance. Feel free to reach out to TechGDPR if you are interested in having an in-depth, independent audit carried out beyond the capabilities of the EDPB WAT tool. 
